Demoting a Samba AD DC

Introduction

In certain situations, it is necessary to permanently remove a domain controller (DC) from Active Directory (AD). While for a regular domain member you only delete the machine account entry, a DC has to be demoted to remove it from AD.

If a DC is not demoted correctly, your AD can get unstable. For example:

replication failures can occur.

the remaining DCs can slow down due to timeouts and failed replication attempts.

Demoting an Offline Domain Controller

In certain situations, such as hardware failures, it is necessary to remove a domain controller (DC) that is no longer accessible from the domain. In this case, demote the DC using a remaining working Samba DC.

Only run this procedure if the DC to demote is no longer connected to the AD and you cannot demote it as described in Demoting an Online Domain Controller. An online demotion ensures that all changes, such as password changes, are replicated to another DC. Otherwise such changes are lost. You can list the differences between directories by using samba-tool ldapcmp.

To remotely demote an offline DC:

Log in to a working Samba DC in the Active Directory (AD) forest.

Verify that Samba 4.4 or later is installed:

# samba --version

You cannot demote an offline remote DC from a DC that runs a Samba version earlier than 4.4. Update to Samba 4.4.0 or later before you continue. For details, see Updating Samba.

Do not reconnect a DC that was demoted remotely to the network. Your AD can become inconsistent.

If the demoted DC ran a DNS service for the Active Directory (AD) zones, verify that domain members and DCs no longer use this host to resolve the AD DNS zones.
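As an added check that is not part of the Samba wiki, the POSIX sh function below parses the output of samba --version and refuses to continue unless the version is 4.4.0 or later. It compares the numeric fields rather than the strings, so a version such as 4.10 is not mistaken for being older than 4.4. The sample version string is constructed for a stand-alone run.

```shell
# Added example, not part of the Samba wiki: gate the remote demote on the
# 4.4.0 minimum by parsing the output of `samba --version`.
# Returns 0 if the version is 4.4.0 or later, 1 if it is older,
# and 2 if the string could not be parsed.
samba_version_ok() {
    out=$1
    # Keep only the leading numeric version,
    # e.g. "Version 4.13.17-Ubuntu" -> "4.13.17"
    ver=$(printf '%s\n' "$out" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p')
    ver=${ver%.}
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ -n "$minor" ] || minor=0
    # Compare field by field: "4.10" is newer than "4.4", although it sorts
    # before it as a string.
    if [ "$major" -gt 4 ]; then
        return 0
    elif [ "$major" -eq 4 ] && [ "$minor" -ge 4 ]; then
        return 0
    fi
    return 1
}

# Constructed sample for a stand-alone run; on a DC use "$(samba --version)".
sample="Version 4.13.17-Ubuntu"
if samba_version_ok "$sample"; then
    echo "OK to continue: $sample"
else
    echo "Samba 4.4.0 or later required, found: $sample"
fi
```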

Verifying the Demotion

To manually verify that the domain controller (DC) was successfully demoted:

The steps described in this section do not replace the official demote procedures described in the previous sections. They serve only to verify the demotion and to manually remove remaining entries if the official demote process failed.

Log in to a Windows domain member using an account that is a member of the Domain Admins group, such as the AD domain Administrator account.